authenticate user via ldap bind

Russ Allbery eagle at eyrie.org
Mon May 29 11:12:40 EDT 2023


"John Alex. via Kerberos" <kerberos at mit.edu> writes:

> In this instance, user passwords are stored in our LDAP server
> (OpenLDAP), hashed. All our services currently validate user credentials
> by attempting an LDAP bind either directly or via another protocol
> implementation (Shibboleth IdP, FreeRADIUS, Keycloak etc).

> So my question is, is there a way to implement Kerberos without
> knowledge of the plaintext passwords, or do we have to somehow capture
> the credentials during users' login to other services and then sync them
> to the KDC db?

Unfortunately, although Kerberos also stores all of the passwords hashed,
the hashing algorithm used by Kerberos is almost certainly different than
the hashing algorithm used by LDAP.  You therefore need the cleartext
password in order to create the KDC entry, since the point of hashing is
that it's not reversible.  The only exception would be if somehow Kerberos
could be convinced to use the same hashing algorithm as LDAP, but I don't
think that's the case.  (The client and the KDC have to agree on a hashing
algorithm, so this isn't a simple thing to do.)

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>
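An added illustration of the point above, not code from this thread or from MIT krb5: an OpenLDAP {SSHA} verifier (what a simple bind amounts to) next to the RFC 3962 string-to-key derivation used by the aes128/aes256-cts-hmac-sha1-96 enctypes. The two are unrelated functions of the password, so the KDC key can only be produced when the plaintext is in hand, i.e. at bind time; the realm, principal and password values are constructed, and the AES step assumes the `cryptography` package.

```python
import base64
import hashlib
import os
from typing import Optional

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# n-fold("kerberos") to the 16-byte AES block size (RFC 3961 section 5.1), precomputed.
KERBEROS_NFOLD = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} userPassword value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """What an LDAP simple bind amounts to: recompute the salted SHA-1 and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def aes_string_to_key(password: str, realm: str, principal: str,
                      keysize: int = 32, iterations: int = 4096) -> bytes:
    """RFC 3962 string-to-key for aes128/aes256-cts-hmac-sha1-96 (keysize 16 or 32).

    Default salt is realm + principal components; tkey = PBKDF2-HMAC-SHA1; the
    long-term key is DK(tkey, "kerberos"): AES-encrypt n-fold("kerberos") under
    tkey, feeding each output block back in until keysize bytes are produced.
    """
    salt = (realm + principal).encode("utf-8")
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, keysize)
    out, block = b"", KERBEROS_NFOLD
    while len(out) < keysize:
        enc = Cipher(algorithms.AES(tkey), modes.ECB()).encryptor()  # one block from initial state
        block = enc.update(block) + enc.finalize()
        out += block
    return out[:keysize]


def kdc_key_from_bind(password: str, stored_ssha: str, realm: str, principal: str) -> Optional[bytes]:
    """The 'capture during login' path from the question (hypothetical helper): the bind is
    the only moment the plaintext exists, so derive the KDC key there, and only if LDAP
    would have accepted the bind."""
    if not ssha_verify(password, stored_ssha):
        return None
    return aes_string_to_key(password, realm, principal)
```

The iteration count of 1 used in the check below is only for matching the published RFC 3962 test vector; MIT krb5 defaults to 4096.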